What I want to do: right now I'm using a self-signed SSL certificate, and that works fine. But I'd like to replace them with proper Let's Encrypt certificates.

What I have (self-signed certificates): this is the output of the important SSL settings (local.ini) as they are right now:
```ini
[daemons]
; enable SSL support by uncommenting the following line and supply the PEM's below.
; the default ssl port CouchDB listens on is 6984
httpsd = {couch_httpd, start_link, [https]}

[ssl]
; these are my self made certificates
cert_file = /etc/couchdb/certs/server.crt
key_file = /etc/couchdb/certs/server.key
; set to true to validate peer certificates
verify_ssl_certificates = false
; Path to file containing PEM encoded CA certificates (trusted
; certificates used for verifying a peer certificate). May be omitted if
; you do not want to verify the peer.
;cacert_file = /full/path/to/cacertf
; The verification fun (optional) if not specified, the default
; verification fun will be used.
;verify_fun = {Module, VerifyFun}
; maximum peer certificate depth
ssl_certificate_max_depth = 1
```
What I tried (Let's Encrypt): after following the Let's Encrypt documentation, I have a folder /etc/letsencrypt/live/[domain] with the following files:
- cert.pem // seems to be the public certificate
- chain.pem // seems to be the public certificate from the keychain
- fullchain.pem // seems to be cert.pem + chain.pem
- privkey.pem // seems to be the private certificate
So I tried to replace the old certificates in local.ini with the new ones:
```ini
[ssl]
; new certificate
cert_file = /etc/letsencrypt/live/[domain]/cert.pem
key_file = /etc/letsencrypt/live/[domain]/privkey.pem
```
The problem: after restarting CouchDB, the non-SSL port 5984 still works. But for SSL on port 6984 I get a connection reset error in Chrome. PS: I also use the same Let's Encrypt certificates for my nginx, where they work perfectly.

Any ideas?

OpenSSL debugging information:

1) SSL with the self-signed certificate: I get the certificate printed out and a lot of information back.

2) Without SSL, with Let's Encrypt: `openssl s_client -connect localhost:5984`
```
CONNECTED(00000003)
140581663061872:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:795:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 207 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
```
3) With SSL, with Let's Encrypt: `openssl s_client -connect localhost:6984`
```
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 207 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
```
With CouchDB 1.6.x:

1. Copy the /etc/letsencrypt/archive/xxxx files to /var/lib/couchdb/cert/
2. Check CouchDB's access permissions
3. Put the following values in /usr/local/etc/couchdb/local.ini:

```ini
cert_file = /var/lib/couchdb/cert1/cert1.pem
key_file = /var/lib/couchdb/cert1/privkey1.pem
cacert_file = /var/lib/couchdb/cert1/fullchain1.pem
```
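As an added example (not code from the question or from either answer): a small POSIX shell script that checks the two things the answer above asks for before you edit local.ini, namely that the copied certificate and key belong together and that the CouchDB service account can actually read them. It assumes the openssl CLI is installed and that the account name (for example couchdb) is passed as the third argument.

```shell
#!/bin/sh
# Added check script (not from the question or answer): before pointing
# CouchDB's [ssl] section at copied Let's Encrypt files, confirm that the
# certificate and key belong together and that the service account can read
# them. /etc/letsencrypt/live holds root-only symlinks into archive/, which
# is a common reason the TLS listener fails. Assumes the openssl CLI exists.
# Usage: sh check_couch_tls.sh CERT KEY [USER]

# Return 0 when CERT ($1) and KEY ($2) carry the same public key; comparing
# public keys works for RSA and EC keys alike.
cert_key_match() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null || true)
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null || true)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when account $1 can read every file that follows. test -r follows
# symlinks, so a live/ link to an unreadable archive/ file is caught too.
# Checking another account runs test under it with su, which needs root.
readable_by() {
    acct=$1; shift
    for f in "$@"; do
        if [ "$acct" = "$(id -un)" ]; then
            [ -r "$f" ] || return 1
        else
            su -s /bin/sh -c "test -r '$f'" "$acct" || return 1
        fi
    done
    return 0
}

# Run both checks against CERT KEY [USER] and report; non-zero on failure.
check_pair() {
    cert=$1; key=$2; who=${3:-$(id -un)}; rc=0
    if cert_key_match "$cert" "$key"; then
        echo "ok: $key belongs to $cert"
    else
        echo "FAIL: $key does not belong to $cert (or a file is unreadable)"; rc=1
    fi
    if readable_by "$who" "$cert" "$key"; then
        echo "ok: $who can read $cert and $key"
    else
        echo "FAIL: $who cannot read $cert or $key; fix ownership/permissions"; rc=1
    fi
    return $rc
}

if [ $# -ge 2 ]; then
    check_pair "$@"
fi
```

Run it as root with the service account as the third argument (`sh check_couch_tls.sh /var/lib/couchdb/cert1/cert1.pem /var/lib/couchdb/cert1/privkey1.pem couchdb`) so the readability check reflects what the CouchDB process will see.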
The only option I found was: